Insider threats in the Healthcare Sector – HHS Warning

On April 21st,  2022, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning on the risk to the healthcare sector from malicious insiders.  It was due to an increase in internal data breaches involving individuals within  healthcare organizations, such as employees, contractors, and business associates.


HHS Warning to the HPH Sector about insider threats: 


The HHS defined an insider threat in the Healthcare and Public Health (HPH) Sector as  “potentially a person within a healthcare organization, or a contractor, who has access to assets or inside information concerning the organization’s security practices, data, and computer systems. The person could use this information in a way that negatively impacts the organization”.

According to different research done and analysis, there is a visible increase in the number of organizations experiencing cyber security incidents. The Ponemon Institute global report of 2022 stated that 67 percent of companies are experiencing between 21 and more than 40 incidents per year. Which is an increase from 60 percent in 2020 and 53 percent in 2018 of companies having between 21 and more than 40 incidents.


Frequency of companies experiencing cyber security incidents

Source: Ponemon Institute 2022 cost of insider threats global report


The warning adds, “While most companies invest more money on insider threats with malicious intent, negligent insider threats are more common.”


Malicious insiders are defined as those who have a grudge against an organization and act on it. Studies have shown that they offer less of a threat to organizations than negligent insiders who pose bigger risks to the health sector. 


According to the Ponemon Institute’s ‘2020 Insider Threats Report:

  • Malicious Insiders – 14 percent of Insider Threat Incidents
  • Negligent Insiders – 61 percent of Insider Threat Incidents
  • Negligent Insiders (credentials stolen) – 25 percent of Insider Threat Incident”



Percentage of insiders types 

Source: Ponemon Institute 2022 cost of insider threats global report


Third parties are also a type of insider threat. Ninety-four percent of organizations give third parties access to their systems. In 72 percent of case studies, third-party vendors had advanced permissions on said systems. Additionally, “disgruntled employees” pose a significant risk because they access an organization’s systems and are considered “emotional threat actors.” 


As for what organizations can do to prevent insider threats, some criteria include:

  • Revising and updating cybersecurity policies
  • Limiting privileged access and establishing role-based access control
  • Implementing the zero-trust and multi-factor authentication models
  • Backing up data and deploying data loss prevention tools
  • Managing USB devices across the corporate network


Cybercrime groups leading insider breaches


The motive of insiders can differ from one to another. Some of them use personal data for their own benefits whether to gain financial compensation, get access to valued data or for references. However, some insider agents work on behalf of external groups to compromise an organization’s network and carry out data breaches or other attacks. 

Prior to HHS Warning about insider threats, they issued a threat brief about tactics used by the cyber criminal group Lapsus$. 


The Lapsus$ group hack of Okta and subsequent breaches at healthcare organizations brought the risk to all organizations from malicious insiders.

HHS’s definition of insider threats aligns with tactics used by Lapsus$. Their strategy was to recruit disgruntled employees using Telegram. Instead of stealing data directly, the group primarily relied on requesting guidance and legitimate credentials to the internal network via a VPN or Citrix. 


Find out more about Lapsus$ through this report published by HHS, on 7th April 2022, entitled Lapsus$ the health sector.


Cases of health sector based insider threats


Because they are genuine and care about people, most people want to work in the healthcare sector and create a career there. Like any other institution, hospitals must manage a diverse group of individuals, some of whom are less than trustworthy. Some insider threats straddle the line between maliciousness and a lack of privacy awareness. Others are well-organized attempts to extract as much personal information as possible over long periods and sell it for a profit.

Internal data breaches within the health sector are numerous due to neglect, unawareness, or malicious intent. For that reason, we’ve prepared some cases that happened before.


Children’s Healthcare of Atlanta – 2013: Sharon McCray worked as a senior audit advisor for Children’s Healthcare of Atlanta. On the day she quit, McCray began sending patient medical documents from her company email to her email. When confronted, she claimed that she had emailed the information for “future employment reference.”


Florida Hospital – 2015: Florida Hospital was the victim of two internal data breaches from 2011-to 2014. Their employees, Dale Munroe and Katrina Munroe were accused of selling patient information to chiropractors and lawyers in the first health data leak. According to, the duo did not need to access the patient data in the first place as part of their usual tasks.

The second data breach was detected in May 2014, and it involved two employees printing patient information outside of their regular work hours. Medical records for 9,000 Florida Hospital patients were potentially exposed in that event between January 2012 and May 2014. According to hospital officials, the event was reported to the hospital by law enforcement.


Woodwinds Hospital: An employee at Woodwinds Hospital in Minnesota was fired and took 200 pages of confidential material home to get revenge. She planned to use the material to expose the hospital, which she claimed had committed several medical malpractices.


Holland Manor Eldercare: Smaller healthcare facilities that offer assisted care are not immune to insider breaches. For instance, the facility manager of Hollard Manor Eldercare, an assisted living facility in Towson, Maryland, applied for six credit cards using the names and Social Security numbers of three residents. Then, using those credit card accounts, the manager made over $75,000 in purchases and faced a sentence of up to 30 years in jail.


Internal data breaches are becoming a more common security problem, whether in the health care sector or other industries, proving tough to resolve. The ultimate way to secure your organization is to train your users and workers on how to spot and disclose an insider danger or prevent them from becoming one unwittingly.

Many open-source resources on insider threats, such as HHS Warning, provide factual information about insider threats in the healthcare sector. There are also training programs and educational materials for organizations and their employees. These include explanations of suspicious activity and behavioral changes employees should be looking for in colleagues, and when and to whom to report it to.


More Topic